Legacy Hardware Offers Hackers a Gateway into Health IT Infrastructure

Jen A. Miller is the author of Running: A Love Story. Her work has appeared in The New York Times, Washington Post, CIO Dive, Supply Chain Dive, and Runner's World. She lives in N.J. with her dog Annie Oakley.

The 2 Types of Legacy Medical Device Vulnerabilities

Vulnerabilities around legacy hardware come in two forms. The first is that security hasn’t been a priority when it comes to healthcare hardware. “Modern IT systems are being designed with security baked in from the beginning. That wasn’t the case with medical devices, and still often isn’t the case,” says Christopher Dawson, threat intelligence lead at Proofpoint.

While new devices might be developed with security at least tacked on as an afterthought, legacy hardware is still in use in practices — even if the devices were developed years before ransomware became a high-profile problem.

“These devices stay in clinical practice for years,” says Dr. Christian Dameff, emergency physician and clinical informatics researcher at the University of California, San Diego. “Think of a device conceived using Windows XP that goes into practical and clinical use for eight years. It could be in operation well after Microsoft stops issuing patches for it.” Microsoft stopped supporting Windows XP in 2014.

“You might have a very secure medical device, but it goes into a clinical environment where no one knows anything about security,” Dameff says.

Healthcare data is attractive to hackers because it’s information that can be used over and over again — information like Social Security numbers.

With this type of information, “you can do a lot more damage in the long term,” says Dawson. A weakness in an MRI machine or CT scanner could be a hacker’s entry point into the entire healthcare IT system.

The Dangers of Unsecured Medical Devices

While it hasn’t happened yet, these devices could be hacked to do real patient harm. “There’s a finite amount of time you have to treat a patient having an acute stroke, and a CT scan is vital. If your hospital is suffering a cyberattack and those devices are offline, you can’t take care of your patients,” Dameff says.

In 2017, he and Dr. Jeff Tully, a resident anesthesiologist at the University of California, Davis Medical Center, held the CyberMed Summit, where they simulated a cyberattack on the University of Arizona College of Medicine in Phoenix, of which they are both alumni. They were able to hack insulin pumps and a pacemaker.

While stealing patient data is a big problem, Dameff also wouldn’t put it past nation-states to use these vulnerabilities to attack “individuals of high political stature and other important people being taken care of in hospitals,” he says. “Hospitals help people, but if things are manipulated in such a way, they can also hurt people.”